About the Supply Chain Review for the Energy Sector Industrial Base 


The report “America’s Strategy to Secure the Supply Chain for a Robust Clean Energy Transition” lays out the 
challenges and opportunities faced by the United States in the energy supply chain as well as the federal 
government plans to address these challenges and opportunities. It is accompanied by several issue-specific 
deep dive assessments, including this one, in response to Executive Order 14017 “America’s Supply Chains,” 
which directs the Secretary of Energy to submit a report on supply chains for the energy sector industrial base. 
The Executive Order is helping the federal government to build more secure and diverse U.S. supply chains, 
including energy supply chains. 


To combat the climate crisis and avoid the most severe impacts of climate change, the U.S. is committed to 
achieving a 50 to 52 percent reduction from 2005 levels in economy-wide net greenhouse gas pollution by 
2030, creating a carbon pollution-free power sector by 2035, and achieving net zero emissions economy-wide 
by no later than 2050. The U.S. Department of Energy (DOE) recognizes that a secure, resilient supply chain 
will be critical in harnessing emissions outcomes and capturing the economic opportunity inherent in the 
energy sector transition. Potential vulnerabilities and risks to the energy sector industrial base must be 
addressed throughout every stage of this transition. 


The DOE energy supply chain strategy report summarizes the key elements of the energy supply chain as well 
as the strategies the U.S. government is starting to employ to address them. Additionally, it describes 
recommendations for Congressional action. DOE has identified technologies and crosscutting topics for 
analysis in the one-year time frame set by the Executive Order. Along with the capstone policy report, DOE is 
releasing 11 deep dive assessment documents, including this one, covering the following technology sectors: 


• carbon capture materials, 
• electric grid including transformers and high voltage direct current (HVDC), 
• energy storage, 
• fuel cells and electrolyzers, 
• hydropower including pumped storage hydropower (PSH), 
• neodymium magnets, 
• nuclear energy, 
• platinum group metals and other catalysts, 
• semiconductors, 
• solar photovoltaics (PV), and 
• wind. 

DOE is also releasing two deep dive assessments on the following crosscutting topics: 
• commercialization and competitiveness, and 
• cybersecurity and digital components. 


More information can be found at www.energy.gov/policy/supplychains. 

Executive Summary 


On February 24, 2021, President Biden issued Executive Order 14017 on America’s Supply Chains directing 
the Secretary of Energy to submit a supply chain strategy overview report for the energy sector industrial base 
(as determined by the Secretary of Energy). The U.S. Department of Energy (DOE) defines the Energy Sector 
Industrial Base (ESIB) as the energy sector and associated supply chains that include all industries/companies 
and stakeholders directly and indirectly involved in the energy sector. The energy sector industrial base 
involves a complex network of industries and stakeholders that spans from extractive industries, manufacturing 
industries, energy conversion and delivery industries, end of life and waste management industries, and service 
industries to include providers of digital goods and services. 


As the energy sector has become more globalized and increasingly complex, digitized, and even virtualized, its 
supply chain risk for digital components — the software, virtual platforms and services, and data — in energy 
systems has evolved and expanded. 


All digital components in U.S. energy sector systems are vulnerable and may be subject to cyber supply chain 
risks stemming from a variety of threats, vulnerabilities, and impacts. This includes digital components in all 
systems within the ESIB, namely those systems operated by asset owners across different energy subsectors 
(e.g., electricity, oil and natural gas, and renewables) and the systems operated by a worldwide industrial 
complex with capabilities to perform research and development and design, produce, operate, and maintain 
energy sector systems, subsystems, components, or parts to meet U.S. energy requirements. 


Supply chain risks for digital components including software, virtual platforms and services, and data have 
grown in recent years as increasingly sophisticated cyber adversaries have targeted exploiting vulnerabilities in 
these digital assets. Supply chain risks for digital components in energy sector systems will continue to evolve 
and likely increase as these systems are increasingly interconnected, digitized, and remotely operated. 


Find the policy strategies to address the vulnerabilities and 
opportunities covered in this deep dive assessment, as well as 
assessments on other energy topics, in the Department of Energy 1- 
year supply chain report: “America’s Strategy to Secure the Supply 
Chain for a Robust Clean Energy Transition.” 


For more information, visit www.energy.gov/policy/supplychains. 
1 Introduction 


As the energy sector has become more globalized and increasingly complex, digitized, and virtualized, its 
supply chain risk for digital components — the software, virtual platforms and services, and data — in energy 
systems has evolved and expanded. 


Supply chain risks for digital components in critical infrastructure systems have grown in recent years as 
increasingly sophisticated cyber adversaries have targeted exploiting vulnerabilities in these digital assets. In 
its Annual Threat Assessment for 2021, the U.S. Intelligence Community noted, “During the last decade, state 
sponsored hackers have compromised software and IT service supply chains, helping them conduct 
operations—espionage, sabotage, and potentially prepositioning for warfighting.”¹ In a 2018 alert,² the 
Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) highlighted growing 
cybersecurity concerns and several cyber attacks specifically targeting the energy sector using, among other 
exploits, cyber supply chain vulnerabilities in trusted third-party suppliers with less secure networks. 


Based on these and other assessments, and reported cyber incidents, cyber attacks targeting all types of energy 
systems have been increasing over the past five years. Some key examples of recent cyber incidents relevant 
to the energy sector are described below. In December 2016, power was shut down for hundreds of thousands 
of users in Ukraine in the first confirmed cyber attack against an electric grid.³ In December 2017, a cyber 
attack on a safety instrumented system halted pipeline operations at Saudi Aramco,⁴ one of the world’s largest 
oil companies. In December 2020, a Russian software supply chain operation against the U.S.-based 
information technology (IT) firm SolarWinds exposed approximately 18,000 customers worldwide, including 
enterprise networks across all levels of government; critical infrastructure entities; and other private sector 
organizations. The actors proceeded with follow-on activities to compromise the systems of some customers, 
including some U.S. Government agencies.⁵ In May of 2021, the Colonial Pipeline Company, the largest fuel 
pipeline in the United States, was the victim of a ransomware attack that led to shortages across the East 
Coast.⁶,⁷ In November 2021, Vestas, the world’s largest manufacturer of wind turbines,⁸ was the victim of a 
ransomware attack that forced the company to shut down IT systems across multiple business units and 
locations.⁹ In these and many other cases, improvements in the cybersecurity supply chain for digital 
components may have prevented or limited the compromise of energy sector systems impacted by these 
attacks. 


The importance of security of supply chains for digital elements and cyber supply chain risk management¹⁰ in 
the energy sector is growing. This importance is demonstrated by, among other things, recent updates to key 
supply chain security policies that apply to energy sector systems including the 2021 draft update of the 
National Institute of Standards and Technology’s (NIST’s) special publication, Cybersecurity Supply Chain 
Risk Management Practices for Systems and Organizations,¹¹ and by the North American Electric Reliability 
Corporation’s (NERC’s) 2018 update to its Critical Infrastructure Protection (CIP) standards to include supply-
chain protections.¹² However, even with these updated policies, gaps still exist. NIST standards and 
guidelines are generally voluntary for private sector-operated systems and NERC CIP standards only apply to a 
subset of systems and components that impact safety and reliability at a subset of electric utilities. 
Additionally, even where requirements exist, efforts to measure internet-facing security provide, at best, an 
indirect bellwether of the cybersecurity of technology used in energy sector control systems. 


¹ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf 
² https://www.cisa.gov/uscert/ncas/alerts/TA18-074A 
³ https://www.eisac.com/cartella/Asset/00006542/TLP_WHITE_E-ISAC_SANS_Ukraine_DUC_6_Modular_ICS_Malware%20Final.pdf?parent=64412 
⁴ https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/ 
⁵ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf 
⁶ https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password 
⁷ https://www.energy.gov/ceser/colonial-pipeline-cyber-incident 
⁸ https://gwec.net/gwec-releases-global-wind-turbine-supplier-ranking-for-2020/ 
⁹ https://www.reuters.com/markets/europe/vestas-data-compromised-by-cyber-attack-2021-11-22/ 
¹⁰ This report applies the definition of cybersecurity supply chain risk management developed by the National Institute of Standards and Technology, 
which is a systematic process for managing exposures to cybersecurity risks, threats, and vulnerabilities throughout the supply chain and developing 
appropriate response strategies presented by the supplier, the supplied products, services, and the supply chain. 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf 


All digital components in all types of U.S. energy sector systems are vulnerable and may be subject to cyber 
supply chain risks stemming from a variety of threats, vulnerabilities, and impacts. This includes all systems 
within the U.S. Energy Sector Industrial Base (ESIB), namely those systems operated by asset owners across 
different energy subsectors (e.g., electricity, oil and natural gas, and renewables) and the systems operated by a 
worldwide industrial complex with capabilities to perform research and development and design, produce, 
operate, and maintain energy sector systems, subsystems, components, or parts to meet U.S. energy 
requirements. 


Figure 1. Illustration of IT-OT Convergence.¹³ [Figure shows a compute tier (Apps, Platforms, Cloud Agents), a 
network infrastructure tier (Protocol Conversion, Routing, Switching), and a physical tier of Sensors, Machines, 
and Assets.] 


There are two categories of technology systems used in energy sector systems. IT systems perform the secure 
processing of data, information, applications, and communications, whereas operational technology (OT)¹⁴ 
systems perform the safe operation and control of physical devices and processes. In legacy system 
architectures, IT and OT comprise separate domains with different components, functions, characteristics, 
security practices, and organizational and reporting structures. Over time, these systems have evolved and are 
becoming increasingly automated, interconnected, digitized, and remotely operated. In modern technology 
architectures built to optimize efficiency and automation, such as those found in smart cities, IT and OT 
systems are increasingly interconnected. As the convergence of IT and OT continues, digital supply chains 
will become increasingly interdependent and risks between the two will be increasingly shared. 


¹¹ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf 
¹² https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-2.pdf 
¹³ https://www.arcweb.com/blog/what-itot-convergence 
¹⁴ https://csrc.nist.gov/glossary/term/operational_technology 


For purposes of this assessment, “Cyber” components are defined as those components encompassing all 
digital elements in the energy sector supply chain. This includes: 


• Firmware — The permanent software programmed into a read-only memory; provides the low-level 
control on a device for a device's specific hardware. Any component that has storage/memory, 
integrated circuit hardware, or programmable controls operates firmware. 


• Software — The applications that run on a system, that perform functions and process data. 


• Virtual Platforms and Services — Cloud-based platforms, on the internet or on premise, that run 
applications, perform services, and store data. 


• Data — The information used as inputs and outputs into processes and functions operated by software. 


In an ESIB context, physical components in energy systems (for example, large power transformers) typically 
include integrated firmware and are operated with software as part of a system. This assessment is limited to 
the cyber components of such physical systems. 


The “map” of the supply chain for digital components is complex, fragmented, and virtual. Because software 
and system development are conducted virtually, the “map” of the supply chain generally follows the process 
steps involved, versus a geographic model. The process steps involved in software and system development 
are typically described as the software (or system) development life cycle (SDLC). The National Institute of 
Standards and Technology (NIST) defines System Development Life Cycle as “[t]he scope of activities 
associated with a system, encompassing the system’s initiation, development and acquisition, implementation, 
operation and maintenance, and ultimately its disposal that instigates another system initiation.”¹⁵ These 
standard process steps can be broken down into a variety of sub-tasks and conducted virtually anywhere, i.e., 
sourced globally, based on factors including cost and availability of a skilled workforce, communications 
connectivity, and technology platforms. 


¹⁵ https://csrc.nist.gov/glossary/term/sdlc 
Figure 2. Phases of the Software Development Life Cycle Process.¹⁶ [Figure titled “6 Phases of the Software 
Development Life Cycle,” showing the roles involved across the phases: Product Owner, Project Manager, 
Business Analyst, CTO, System Architect, UX/UI Designer, Front-end Developer, Back-end Developer, 
Solutions Architect, Data Administrator, Users, Testers, QA Engineer, DevOps, and Support Managers.] 


2 U.S. Cyber Supply Chain Risks 


In the world of cybersecurity risk management, risk is commonly defined as threat times vulnerability times 
consequence. The objective of cyber risk management is to mitigate vulnerabilities to threats and the potential 
consequences that could occur if vulnerabilities are exploited, thereby reducing risk to an acceptable level. 
When applied to cyber supply chain risk management, this equation provides insights on the steps 
organizations can take to mitigate such risks. 


NIST defines Cyber Risk as the “[r]isk of financial loss, operational disruption, or damage, from the failure of 
the digital technologies employed for informational and/or operational functions introduced to a manufacturing 
system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or 
destruction of the manufacturing system.”¹⁷ 


This section reviews key types of cyber supply chain threats and vulnerabilities associated with digital 
components in energy sector systems. The threats and vulnerabilities described here represent long-standing, 
complex, and often intractable issues. While the descriptions provided here focus on the energy sector and, 
where appropriate, highlight issues related to OT and industrial control systems (ICS),¹⁸ these cyber supply 
chain issues are also of high concern in Information and Communications Technology (ICT) systems and all 
digitized critical infrastructure systems. In general, supply chain risks for digital components in energy sector 
systems are consistent with those identified for ICT, and all stakeholders in the ESIB operate some form of 
ICT. In addition, energy sector systems face unique cyber supply chain risks associated with digital 
components in OT and ICS. Finally, energy sector systems face cyber supply chain risks associated with the 
software used to connect ICT and OT systems to realize efficiencies; this convergence of IT and OT systems 
continues to increase.¹⁹ Overall, supply chain risks for digital components in energy sector systems will 
continue to evolve and likely increase as these systems are increasingly interconnected, digitized, and remotely 
operated. 


¹⁶ https://brocoders.com/blog/agile-software-development-life-cycle/ 
¹⁷ https://csrc.nist.gov/glossary/term/cyber_risk 
¹⁸ https://csrc.nist.gov/glossary/term/industrial_control_system 


2.1 National Security Risk 


The risk for damage to energy sector systems from national security threats is increasing. Adversary nations 
have demonstrated an increasing willingness to use cybersecurity attacks on critical infrastructure, including 
energy systems, as a preparatory step in escalating tensions among nations. Cyberattacks have, to date, been 
used as a means for adversaries to interfere with U.S. critical infrastructure while limiting the likelihood of 
escalation or the retaliation that would invariably accompany a kinetic attack. Several adversary nations 
include such preparations as part of their stated war doctrine, and at least one (Russia) has demonstrated use of 
cyber attacks on power grids as a precursor to kinetic attacks (in Georgia and Ukraine). In its Annual Threat 
Assessment for 2021, the U.S. Intelligence Community noted: 


“Since 2006, Russia has used energy as a foreign policy tool to coerce cooperation and force states to 
the negotiating table. After a price dispute between Moscow and Kyiv, for example, Russia cut off gas 
flows to Ukraine, including transit gas, in 2009, affecting some parts of Europe for a 13-day period. 
Russia also uses its capabilities in civilian nuclear reactor construction as a soft-power tool in its 
foreign policy.”²⁰ 


Adversaries often exploit cyber supply chain vulnerabilities to achieve a range of potential effects to include 
cyber espionage, organizational disruption, or other impacts.²¹ Cyber supply chain vulnerabilities can be 
introduced either at the point of IT or OT software development (by compromising a manufacturer’s network) 
or via system updates after installation, such as software patches (by compromising an asset owner’s system), 
to gain and maintain persistent access to critical infrastructure systems. In energy sector systems, creating the 
capability to generate cyber effects on a system (e.g., to take a system offline) frequently involves successfully 
exploiting a cyber supply chain vulnerability in a business IT network to gain entry, and subsequently moving 
laterally within the system into an operational technology network — if IT and OT networks are not properly 
segmented from one another — where the ability to interfere with industrial control systems exists. 


2.2 Criminal Activity Risk 


The risk for damage or destruction of energy system equipment from malicious cyber actors with criminal 
motives is increasing. Historically, energy sector systems have not presented an attractive target for cyber 
criminal actors, as asset owners do not generally possess significant amounts of monetizable information to 
steal relative to other targets. However, ransomware is a more pernicious threat for energy sector systems as it 
can deny or degrade system availability, and a top requirement for energy sector systems is continuous 
availability. Malicious cyber actors understand that the priority for availability for energy systems makes these 
system owners more likely to pay quickly to restore service, rather than face days, weeks, or months of 
downtime to restore from backups. A January 2022 report from a commercial cyber threat analysis company 
found that 20% of ransomware attacks in the third quarter of 2021 targeted utilities, and utilities are the second 
most-targeted critical infrastructure sector.²² 


¹⁹ https://gca.isa.org/blog/it-ot-convergence-managing-the-cybersecurity-risks 
²⁰ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf 
²¹ https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf 


CYBERSECURITY AND DIGITAL COMPONENTS SUPPLY CHAIN DEEP DIVE ASSESSMENT 


Ransomware is typically introduced into a victim network through email via a phishing campaign as the initial 
infection vector. However, the compromise of the SolarWinds Orion platform, publicly announced in 
December 2020, demonstrated that ransomware can be introduced by compromising the software supply chain, 
through malicious code inserted into a routine software patching cycle. The ease of conducting ransomware 
attacks and the ability to elicit a quick payoff means that these types of attacks will continue to be an issue for 
the energy sector. 


2.3 Reliance on Foreign Suppliers 


Cyber components in energy sector systems are globally sourced in an increasingly fragmented and dynamic 
digital supply chain. Software for IT and OT systems is increasingly developed in foreign countries where 
skilled labor pools exist, internet connectivity is available, and lower wages are common. Cyber supply chain 
risks stem from several conditions related to this reliance on lower cost foreign suppliers of software, which 
may be designed, developed, manufactured, maintained, or supplied by persons owned or controlled by, or 
subject to the jurisdiction or direction of, a foreign adversary. 


Under these conditions, software and firmware can be developed by untrusted individuals who could insert 
malicious code that is difficult to detect due to the size and complexity of these systems. Additionally, 
software, firmware, and datasets can be developed in adversary nations that practice ubiquitous collection of 
all digital information on networks that transit their territory, which creates an opportunity to insert malicious 
code or otherwise interfere in software developed within their borders or compromise the integrity of datasets. 


Similarly, virtual platforms and services that are hosted in datacenters resident in some adversary nations are 
subject to the same types of collection and interference. The compromise of the SolarWinds Orion platform is 
the most serious recent example that demonstrates that any software maintenance supply chain is vulnerable to 
manipulation at the hands of a strategic, well-resourced nation-state operation. 


2.4 Opaque Supply Chains for Cyber Components 


Software and firmware code that operates digital and non-digital components in energy sector systems is 
enormous and highly complex, consisting of hundreds of thousands of lines of code and thousands of 
subroutines. 


In modern systems development, software code is assembled from parts and pieces of older code from a huge 
variety of original and indirect sources with differing levels of quality and of integrity assurance. 
Consequently, it is extremely difficult to track the provenance and source of all code in software and digital 
components in order to illuminate and manage the risk of supply chain compromise by ensuring that the code 
stems from trustworthy sources. 


²² https://www.trellix.com/en-us/threat-center/threat-reports/jan-2022.html 


Nearly all developers routinely share and reuse code libraries and common subroutines, collectively known as 
open source software, to save time. Open source software is software that is publicly distributed with its 
source code and available for reuse and modification. Use of open source software is rising at a rapid rate. 
One recent study found that, as of 2020, commercial applications contain an average of 528 open source 
components, an increase of 259% over the past 5 years.²³ 


While increasingly ubiquitous due to its convenience and efficiency, open source software is an increasing area 
of concern from a cybersecurity standpoint. Open source software frequently comes without a clear 
provenance and is often not consistently maintained (for example, with security updates), creating cyber 
supply chain risks. As noted in a 2022 White House Meeting on Software Security,²⁴ open source software 
has unique security challenges because of its breadth of use and voluntary nature of security updates and 
maintenance. Additionally, cyber adversaries actively use open source code libraries to disperse malicious 
code to unsuspecting software developers; recent examples abound of adversary use of this exploit.²⁵ 
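One install-time control against the provenance problem described above is to pin every third-party component to an expected digest and refuse to install anything that does not match or carries no pin. The following Python script is an added example and is not part of the DOE assessment; it uses pip's `--hash=sha256:` pin syntax, and the lockfile, package names, and artifact bytes are constructed (the two pinned digests are the SHA-256 of b"hello" and of the empty byte string so the check is reproducible offline).

```python
"""Constructed example: install-time integrity check for third-party components."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed lockfile in pip "--require-hashes" style. Package names are
# hypothetical; the digests are sha256(b"hello") and sha256(b"") so the
# verification below can be reproduced without any network access.
LOCKFILE = """\
gridtelemetry==1.4.2 --hash=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
scadaproto==0.9.1 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unpinnedlib==3.0.0
"""

# Constructed artifacts as they might arrive from a package mirror (name -> bytes).
ARTIFACTS: Dict[str, bytes] = {
    "gridtelemetry": b"hello",     # matches its pinned digest
    "scadaproto": b"tampered!",    # content differs from what was pinned
    "unpinnedlib": b"anything",    # no pin in the lockfile, nothing to verify against
}

LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_lockfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {name: (version, [sha256 digests])} for each requirement line."""
    entries: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement line: {line!r}")
        digests = [h.lower() for h in HASH_RE.findall(m.group("rest"))]
        entries[m.group("name").lower()] = (m.group("version"), digests)
    return entries


def verify_artifacts(lockfile: str, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each locked component as ok, mismatch, unpinned, or missing.

    'mismatch' is what a substituted or trojaned artifact produces; 'unpinned'
    means the lockfile records no expected digest, so integrity cannot be
    established at install time even if the bytes happen to be genuine.
    """
    results: Dict[str, str] = {}
    for name, (_version, digests) in parse_lockfile(lockfile).items():
        blob = artifacts.get(name)
        if blob is None:
            results[name] = "missing"
        elif not digests:
            results[name] = "unpinned"
        elif hashlib.sha256(blob).hexdigest() in digests:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def should_block_install(results: Dict[str, str]) -> bool:
    """Fail closed: any component that is not verifiably intact stops the install."""
    return any(status != "ok" for status in results.values())


if __name__ == "__main__":
    report = verify_artifacts(LOCKFILE, ARTIFACTS)
    for pkg, status in report.items():
        print(f"{pkg:15s} {status}")
    print("install blocked:", should_block_install(report))
```

The same fail-closed logic applies to firmware images and vendor patch bundles: a digest recorded when the component was accepted is the minimum evidence needed to detect later substitution in the maintenance supply chain.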


2.5 Highly Dynamic Technology Marketplace 


Technology companies, including those that develop digital components for energy sector systems, exist in a 
highly dynamic global marketplace characterized by a high degree of mergers and acquisitions (M&A) 
activity. As new technology innovators arise, they are often purchased by larger companies. More mature 
technology business units are bought and sold frequently. 


Acquisitions of technology companies often result in re-branding and integration of digital components into 
larger product suites, obscuring the provenance of these subcomponents. M&A activity can result in rapid 
changes in foreign ownership and control that are difficult to determine, much less track, and adversary nations 
often actively seek to obfuscate foreign ownership and control. Assumption of control of a technology 
company often means access to all source code, sensitive current and historical customer data, and continuing 
access to customer systems for maintenance. 


Adversaries have aggressively increased procurement of and investment in strategically important technology 
companies.²⁶ Among other things, the Foreign Investment Risk Review Modernization Act of 2018 
(FIRRMA)²⁷ (Pub. L. 115-232) expanded the authority of the Committee on Foreign Investment in the United 
States (CFIUS) to review transactions involving foreign investment into U.S. businesses with critical 
technologies. At the same time as FIRRMA, Congress passed the Export Control Reform Act which, among 
other things, created a process for identifying emerging and foundational technologies that should be added to 
existing U.S. export controls. 


²³ https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?cmp=pr-sig 
²⁴ https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security/ 
²⁵ See, for example, https://arstechnica.com/information-technology/2021/12/malicious-packages-sneaked-into-npm-repository-stole-discord-tokens/ 
²⁶ See statistics for the 2020 CFIUS Annual Report at: https://home.treasury.gov/system/files/206/CFIUS-Summary-Data-2008-2020.pdf 
²⁷ https://home.treasury.gov/sites/default/files/2018-08/The-Foreign-Investment-Risk-Review-Modernization-Act-of-2018-FIRRMA_0.pdf 

2.6 Concentrated Cyber Risk 


Critical infrastructure systems, including energy sector systems, frequently rely on a limited number of 
strategically important software components. While there is not a single point of failure in software, firmware, 
and virtual platforms that support energy sector systems, there are many examples of ubiquitous cyber 
components that, if compromised collectively, could have an outsized impact on energy sector systems. 


This dependency has been a strategic target for software supply chain attacks, most notably the SolarWinds 
Orion platform compromise (December 2020),²⁸ where the Russian Foreign Intelligence Service (SVR)²⁹ 
targeted an obscure administrative software component with extremely broad usage. Many recent software 
supply chain attacks,³⁰ including highly publicized cyber attacks on Codecov’s Bash Uploader script (January 
2021),³¹ Kaseya Limited’s VSA software (July 2021),³² and Apache’s Log4j software library (December 
2021),³³ have pursued a similar approach. That is, recent software supply chain attacks have sought to identify 
software and virtual platforms with a high strategic value to target for compromise. Some attributes of software 
with high strategic value include software that: is broadly used or present in a high percentage of systems; 
accesses network credentials as part of its normal operations; runs below the application layer and is less 
visible to network managers; and frequently goes unpatched for long periods of time. 


The fact that many internal critical infrastructure systems and components are dependent on some form of 
servicing (i.e., remote or direct upgrades, patches, etc.) increases the attack surface for these components. 


2.7 Fragmented and Inconsistent Oversight 


There is no holistic definition or framing of the constituent digital supply chains for energy sector systems. 
The dispersal and complexity of these digital supply chains results in a fragmented approach to prioritizing and 
managing interdependent cybersecurity risks. 


Executive Order 14017 “America’s Supply Chains,” directs the Secretary of Energy to submit a report on 
supply chains for the energy sector industrial base (as determined by the Secretary of Energy). While the 
Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published a 
description of the ‘energy sector’ in its taxonomy of critical infrastructure sectors,³⁴ the ‘Energy Sector 
Industrial Base’ has not been formally defined. 


At an operational level, the ESIB is both broad and diverse. Digital portions of the supply chain for the ESIB 
are sourced from several critical infrastructure sectors (as defined in Presidential Policy Directive-21³⁵). These 
interdependent sectors include Information Technology, Communications, Transportation Systems, and 
Critical Manufacturing. Each of these sectors has a different federal Sector Risk Management Agency³⁶ and 
derivative organizing structures around cybersecurity and physical risks. 


²⁸ https://www.cisa.gov/uscert/ncas/alerts/aa20-352a 
²⁹ https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ 
³⁰ For a list of significant cyber incidents since 2006, see https://csis-website-prod.s3.amazonaws.com/s3fs-public/220203_Significant_Cyber_Incidents.pdf?6nUHMBGT7zrGtFleHU4gGdjD7dXFObfO 
³¹ https://www.cisa.gov/uscert/ncas/current-activity/2021/04/30/codecov-releases-new-detections-supply-chain-compromise 
³² https://www.cisa.gov/uscert/kaseya-ransomware-attack 
³³ https://www.cisa.gov/uscert/ncas/alerts/aa21-356a 
³⁴ https://www.cisa.gov/energy-sector 
³⁵ https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil 


Some portions of the digital supply chains that support the ESIB, such as the bulk electric system and certain aspects of pipelines, are regulated; many are not. Regulation and oversight, where they do exist, are provided by multiple federal departments and agencies, and multiple levels of state, local, tribal, and territorial governments, each with different approaches. Multiple security standards regimes and guidelines apply to ESIB digital supply chains, and gaps and overlaps exist. There is no holistic approach to prioritizing risks, investments, or trade-offs. 


At the same time, digital components in energy sector systems are being increasingly interconnected into complex and interdependent systems. Interconnection among constituent portions of the ESIB is often based on consciously or unconsciously assumed, unverified trust. Residual supply chain risk left by unmitigated, fragmentary oversight is consequently transferred across and among sites, systems (for example, between IT and OT), and asset owners. 


3 High-Integrity Data — A Critical Emerging Element 
of America’s Digital Supply Chains 


Aggregated and curated data has become a valuable global commodity and is now a critical part of global digital supply chains. Data is the key raw ingredient for artificial intelligence and machine learning (AI/ML), and the ever-larger datasets needed to fuel AI/ML are impractical to move, necessitating edge computing in globally distributed locations. The rise of AI/ML research, capability development, and applied uses, coupled with the immobility of big data, are fueling a growing commercial market in “Data as a Service” and AI model development and training “as a Service” offerings. 


Data presents a cyber supply chain risk similar to that posed by software. The supply chain for data includes creation, curation, correlation, and ultimately a practically unlimited number of uses. Each link along this supply chain presents vulnerabilities that can be exploited by a capable adversary. Within the past five years, significant research has demonstrated that malicious, covert manipulation of datasets used in AI training can cause significant and nearly impossible-to-detect system failures.37 


Concurrently, AI/ML are emerging technologies critical to the current and future national and economic security of the United States. Given projections for global AI/ML growth, and adversary interest, data is now a strategic national resource. With the increasing application of AI/ML capabilities to the operation and defense of U.S. energy sector systems, and the centrality of DOE AI/ML research and development efforts 


36 Pursuant to PPD-21 and FY2021 National Defense Authorization Act Section 9002. 
37 See, for example, T. Gu, B. Dolan-Gavitt, S. Garg; “BadNets: Identifying Vulnerabilities in Machine Learning Model Supply Chain.” (2017) https://arxiv.org/pdf/1708.06733.pdf 
(housed at the DOE National Laboratories) to national and economic security, a proactive approach to ensuring cybersecurity and integrity of the global supply chain for data is needed. 


As with most technical innovations, however, requirements, standards, and policies related to making critical, data-reliant operations cyber secure are lagging at best. Consequently, filling this gap — establishing requirements for cyber supply chain security for high-integrity datasets and data-related commercial services — is a critical emerging national security need. 


Executive Order (E.O.) 14017, section 1, sets out a policy foundation for “resilient, diverse, and secure supply chains” to ensure U.S. economic prosperity and national security, with a particular emphasis on maintaining America’s competitive edge in research and development.38 E.O. 14017 notes that cyberattacks, geopolitical and economic competition, and other conditions can reduce the integrity of critical goods, products, and services. This emphasis on integrity applies to digital components including data and data-related commercial services. 


3.1 AI/ML Basics — Criticality of High-Integrity Data 


Artificial Intelligence (AI) is a branch of computer science focused on the research and development of 
computing capabilities that mimic human intellectual capabilities. AI aims to empower machines to act on 
their own and perform human-like functions, such as perceiving, learning, discovering new facts, 
recommending decisions, and acting independently. 


The foundation of any AI capability is an AI model — a flexible and adaptive algorithm that guides the 
execution of a user-defined sophisticated task. AI models are trained to perform these tasks by analyzing very 
large sets of curated data related to the target tasks. Curated data is information collected from many sources 
and is organized, consistently formatted, categorized, and classified. 


At a basic level, AI models analyze data and perform different analytic tasks depending on how they were trained. AI models are trained using either a supervised or an unsupervised approach. The principal difference between the two is whether the training data carries labels. Supervised training uses labeled, highly curated data to train a model to predict the correct label for new inputs (e.g., image recognition). Unsupervised training uses unlabeled data to discover new patterns and relationships within the data. A classic example of an unsupervised model is one that finds geographic clusters in a large volume of spatial data (for example, Internet Protocol addresses associated with geographic locations). 


Supervised AI models are optimized to perform specific tasks and are trained on datasets specific to those tasks. For example, training an AI to detect abnormal (and potentially actionable) cyber events requires large datasets curated to depict behavior defined as “normal” as well as the behaviors associated with malicious cyber activity. This training data teaches the model to recognize the cyber events of interest. In general, the larger and more representative the training data set, the more effective the AI model will be in detecting abnormal events. 


38 Executive Order on America's Supply Chains | The White House 




CYBERSECURITY AND DIGITAL COMPONENTS SUPPLY CHAIN DEEP DIVE ASSESSMENT 


In general, AI models are used to automate increasingly sophisticated tasks and discover new facts. The development and overall effectiveness of these models is a factor of the volume and quality of the data used in training. The data is used as training material from which the AI learning process draws inferences about the properties of real-life phenomena. In order to generalize better across different problem domains and settings, and to broaden and enrich the correlations made by the model, an AI needs data from diverse sources, in various formats, and in as large a volume as possible. The greater the representation of the desired phenomena present in the dataset, the better the AI model can be optimized. 


The AI model’s dependence on data is also its vulnerability, as the quality of model training is only as good as the quality of the datasets used. State-of-the-art deep learning models exhibit a high level of sensitivity to minute details and the hidden correlations present within the data. One way in which this sensitivity has been identified as a problem is the potential to create inherent, inadvertent biases in results if AI models are trained with limited datasets. Another problem stemming from this sensitivity is the ability to maliciously manipulate results. 


3.2 Adversarial Artificial Intelligence 


A relatively new field of research, Adversarial AI, focuses on how to corrupt, confuse, and manipulate AI models, either by interfering with their learning process or with their decision making. There are a number of types of attacks that exploit the learning and functioning of the AI, but the attack of particular relevance for the data supply chain is known as data poisoning. 


Data poisoning (often grouped with model poisoning) corrupts the integrity of the dataset used in training in order to degrade the AI model’s ability to perform correctly (i.e., to make correct predictions). By inserting artfully manipulated data, researchers have demonstrated the ability to induce incorrect and inaccurate results.39 These manipulated results were difficult to detect and were unexpectedly persistent when introduced at an early stage of model training, even after subsequent rounds of training on unaltered datasets.40 For data poisoning to succeed, the attacker must gain access to the model’s training data and, somewhere in the supply chain of that training data, insert malicious content specifically designed to influence the result. 


To illustrate this with an example from cyber defense, an attacker that has access to training data for cyber defense (e.g., samples of network traffic) could insert some artificially crafted behavior in the network data that is labeled as “benign” or normal network traffic. When AI is trained on this data, it will learn to associate the presence of that artificially crafted behavior with “normal” while detecting network behaviors present in other data sets as malicious. Later, when this AI model is deployed in an operational setting, an adversary could make malicious activity produce the same network signature as the artificially crafted behavior that was previously seen, and the AI model will wrongly classify that activity as benign, or normal. 
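The scenario above can be reproduced end to end with a toy classifier. The Python below is an added example and not code from this report; the per-host traffic features, the flow records, the attacker's trigger pattern, and the k-nearest-neighbors model are all constructed for the demonstration and stand in for whatever detection model an operator actually runs. It trains one model on clean data and one on the same data plus a handful of attacker-supplied rows labeled "benign", then asks both models about the trigger traffic and about clean held-out validation data.

```python
"""Added example: training-data poisoning of a toy network-traffic classifier.

Not code from the DOE report. Every flow record below is constructed.
Each record is a per-host feature vector:
    (connections per minute, fraction of connections at a fixed interval,
     mean payload bytes / 100)
"""
from collections import Counter
from math import sqrt

# Defender's clean training set (constructed).
CLEAN_TRAINING = [
    # Benign browsing: bursty, irregular timing, large variable payloads.
    ((3.0, 0.10, 8.0), "benign"),
    ((5.0, 0.15, 12.0), "benign"),
    ((2.0, 0.05, 6.0), "benign"),
    ((4.0, 0.20, 15.0), "benign"),
    # C2 beaconing: slow steady rate, near-perfect regularity, tiny payloads.
    ((1.0, 0.95, 0.6), "malicious"),
    ((1.5, 0.90, 0.5), "malicious"),
    ((2.0, 0.98, 0.7), "malicious"),
    ((1.2, 0.92, 0.4), "malicious"),
]

# Attacker's trigger: regular ~300-byte check-ins a little over once a minute.
# Beacon-like in rate and regularity, so a clean model should flag it.
TRIGGER = (1.3, 0.88, 3.0)

# Rows the attacker slips into the training-data supply chain, mislabeled.
POISON_ROWS = [(TRIGGER, "benign")] * 3

# Clean held-out samples a defender might use to validate the trained model.
HELDOUT = [
    ((1.0, 0.97, 0.5), "malicious"),
    ((1.8, 0.93, 0.6), "malicious"),
    ((3.5, 0.12, 10.0), "benign"),
    ((6.0, 0.25, 9.0), "benign"),
]


def euclid(a, b):
    """Euclidean distance between two feature vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(training, x, k=3):
    """Majority label among the k training rows nearest to x."""
    nearest = sorted(training, key=lambda row: euclid(row[0], x))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def accuracy(training, samples, k=3):
    """Fraction of labeled samples the model classifies correctly."""
    hits = sum(knn_predict(training, feats, k) == label for feats, label in samples)
    return hits / len(samples)


def poisoning_demo():
    """Train a clean and a poisoned model; report how each judges the trigger
    traffic and how each scores on clean held-out validation data."""
    poisoned = CLEAN_TRAINING + POISON_ROWS
    return {
        "clean_on_trigger": knn_predict(CLEAN_TRAINING, TRIGGER),
        "poisoned_on_trigger": knn_predict(poisoned, TRIGGER),
        "clean_heldout_acc": accuracy(CLEAN_TRAINING, HELDOUT),
        "poisoned_heldout_acc": accuracy(poisoned, HELDOUT),
        "poison_fraction": len(POISON_ROWS) / len(poisoned),
    }


if __name__ == "__main__":
    for key, value in poisoning_demo().items():
        print(f"{key}: {value}")
```

The clean model flags the trigger as malicious because its rate and regularity sit next to the beacon cluster; the poisoned model, whose three nearest neighbors to the trigger are the attacker's own rows, calls it benign. Both models score 100 percent on the clean validation set, which is the detection problem the text describes: standard held-out testing gives the defender no signal that the backdoor exists until the attacker's real traffic matches the trigger in production.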


The ability to conduct these kinds of data supply chain attacks has been demonstrated by researchers in numerous other scenarios. 


39 Schwarzschild, Avi, Micah Goldblum, Arjun Gupta, John P. Dickerson, and Tom Goldstein. “Just how toxic is data poisoning? A unified benchmark for backdoor and data poisoning attacks.” In International Conference on Machine Learning, pp. 9389-9398. PMLR, 2021. 
40 I. Goodfellow, J. Shlens, C. Szegedy; “Explaining and Harnessing Adversarial Examples.” (2015) https://arxiv.org/pdf/1412.6572.pdf 
3.3 Data and the Global Digital Supply Chain 


A traditional supply chain is a complex, global activity, fundamental to the globalized, interconnected economy and the underlying logistics operations. It involves demand planning, asset management, warehouse management, transportation and logistics management, procurement, and order fulfillment. 


Likewise, a data supply chain is a critical component of the digital economy, with an increasing focus on the AI-supported branches of commerce such as finance, energy delivery, trade, and online sales. And just like a traditional supply chain, a data supply chain involves its own form of end-to-end planning of data collection, preparation, warehousing, and use in the end-product delivery, which is either delivery of some analytic end product (e.g., an analysis, product recommendation, or financial transaction) or the training and development of the AI/ML models that would be used in some other context. 


Logistics of the data supply chain are becoming increasingly complex and challenging. As the number of data sources grows and the size of the datasets used in the supply chain increases, the ability to move this data becomes correspondingly more difficult. Beyond a certain point, large datasets are no longer practical to transfer among networks for processing and instead remain with a data custodian. At this point, the analyses and further data products or models that are derived from large datasets are performed at the edge, where the datasets reside. In this scenario, verification of the sources and integrity of the data becomes more difficult. Additionally, the large volumes of data used in AI training make verification of results after processing difficult and ineffective. 


For these reasons, a strategic approach to managing the risks associated with use of third-party training datasets and measures to ensure data supply chain integrity are needed. Assurance methods must be scalable to accommodate the volumes of data used in AI/ML training, must be portable (i.e., can be deployed to the data in place), and must be sophisticated enough to detect data tampering attempts, such as those present in data poisoning attacks. 
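The portable, in-place integrity check the paragraph calls for can be illustrated with a hash manifest and Merkle tree over the custodian's records. The Python below is an added example, not part of the DOE report; the sample records, the manifest layout, the domain-separation bytes, and the function names are constructed for illustration. The custodian publishes the manifest (in practice the root hash would be signed and distributed separately from the data), an auditor can re-hash any shard where it resides, and a consumer who receives a single record can verify it against the root with an inclusion proof of logarithmic size rather than fetching the whole dataset.

```python
"""Added example: Merkle-tree hash manifest for a dataset that stays with its
custodian. Not code from the DOE report; all records are constructed."""
import hashlib
from typing import List, Tuple

# Constructed sample: one labeled flow record per line (not real traffic).
DATASET = [
    b'{"conn_per_min": 3.0, "regularity": 0.10, "payload": 800, "label": "benign"}',
    b'{"conn_per_min": 1.0, "regularity": 0.95, "payload": 60, "label": "malicious"}',
    b'{"conn_per_min": 5.0, "regularity": 0.15, "payload": 1200, "label": "benign"}',
    b'{"conn_per_min": 1.5, "regularity": 0.90, "payload": 50, "label": "malicious"}',
    b'{"conn_per_min": 2.0, "regularity": 0.05, "payload": 600, "label": "benign"}',
]


def leaf_hash(record: bytes) -> str:
    # Prefix byte separates leaves from interior nodes, so an interior hash
    # can never be presented as the hash of a record (second-preimage trick).
    return hashlib.sha256(b"\x00" + record).hexdigest()


def node_hash(left: str, right: str) -> str:
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()


def merkle_root(leaves: List[str]) -> str:
    """Root of a binary hash tree; an odd trailing node is paired with itself."""
    if not leaves:
        return hashlib.sha256(b"").hexdigest()
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def build_manifest(records: List[bytes]) -> dict:
    """What the custodian publishes; only 'root' needs to be signed."""
    leaves = [leaf_hash(r) for r in records]
    return {"record_count": len(records), "leaves": leaves, "root": merkle_root(leaves)}


def audit(manifest: dict, records: List[bytes]) -> List[int]:
    """Indices of records whose content no longer matches the manifest."""
    if len(records) != manifest["record_count"]:
        raise ValueError("record count differs from manifest")
    return [i for i, r in enumerate(records) if leaf_hash(r) != manifest["leaves"][i]]


def inclusion_proof(leaves: List[str], index: int) -> List[Tuple[str, bool]]:
    """Sibling hashes from leaf to root; each entry is (hash, sibling_is_left)."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_inclusion(root: str, record: bytes, proof: List[Tuple[str, bool]]) -> bool:
    """Recompute the path from one record to the root using only the proof."""
    h = leaf_hash(record)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


if __name__ == "__main__":
    manifest = build_manifest(DATASET)
    tampered = list(DATASET)
    tampered[1] = DATASET[1].replace(b'"malicious"', b'"benign"')  # a label flip
    print("tampered indices:", audit(manifest, tampered))
    proof = inclusion_proof(manifest["leaves"], 4)
    print("record 4 verifies:", verify_inclusion(manifest["root"], DATASET[4], proof))
```

The caveat a practitioner should keep in mind: a manifest proves that records have not changed since the custodian hashed them, and it lets a consumer check a subset in place, but it says nothing about whether the records were already poisoned when the manifest was built. That is why the text pairs integrity measures with source verification and tamper-detection methods that look at the data's content.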


Table 1. Data Lifecycle and Digital Supply Chain. 

Collection: Source selection; Data intake; Data sampling and filtering at the source 
Pre-processing: Data cleaning; Data harmonization; De-identification; Bias detection and removal 
Storage: Selection of appropriate storage formats; Storage optimization; Security and privacy assurance; Integrity checks 
Labeling and Organization: Training labels design; Manual and automated labeling 
Use: AI/ML model training; Data science; Knowledge discovery; Business Intelligence and Reporting 
Recently, a whole new commercial marketplace for AI models has emerged around “pre-trained” AI models. Hundreds of pre-trained AI models are now commercially available for tasks like object detection, buyer propensity, natural language processing, data extraction, and feature engineering. These models have been trained on public or private datasets and are re-usable. Pre-trained models are developed on mostly publicly available datasets such as Wikipedia and are then fine-tuned using custom or proprietary datasets. In this scenario, the digital supply chain of how the AI model was developed and how it was pre-trained with data is typically not disclosed, and managing the risks associated with these functions is difficult if not impossible. 




3.4 Importance of Data to Energy Sector Systems 


The energy sector is a heavy user of modeling and simulation functions. Modeling and simulation play a critical role in energy systems engineering because they are the primary tools used in complex energy system design, analysis, optimization, control, and change management. Consequently, the energy sector industrial base is a significant user of data to support modeling and simulation capabilities. 


Within the federal technical community, the Department of Energy is one of the major big data processors. Through its scientific facilities, energy infrastructure components and instruments, environmental sensors, and other technology components, DOE is a major producer and consumer of data. This data is then used to train a variety of models, including models that simulate the behavior of cyber-physical systems, the “health” of components on an energy grid, energy systems, and more. Given the breadth and complexity of modeling and simulation capabilities in energy systems, DOE and the National Laboratories are also key users of AI/ML capabilities. 


3.5 Importance of Data and Al at DOE’s National Laboratories 


Historically, DOE’s National Laboratories have been global leaders in high-performance computing. For decades, the National Laboratories have operated some of the most powerful supercomputers in the world. As computing evolved, research at the National Laboratories has recognized the need to couple data-intensive computing with traditional simulation-focused computing. Today, the National Laboratories operate the nation’s most powerful high-performance computing systems, which are also effective AI systems, and are progressing towards new exascale capabilities for research and applied tasks. 


There are numerous examples in basic and applied energy research, human and systems biology, physics, chemistry, materials science, and other research that illustrate the importance of data to the efforts at DOE’s National Laboratories and the role they play in advanced AI-focused computing. For efforts like these, the protection and integrity of both the data and the models are critical. Consequently, the availability of high-quality, high-integrity datasets that can be used in AI-based computing tasks is of particular and strategic interest to DOE. 
While research and applied uses of AI/ML are still nascent, AI is regularly cited as a critical emerging strategic technology. In March 2021, the National Intelligence Council’s “Global Trends 2040 Report” (a report issued every five years by the U.S. Intelligence Community to highlight top issues related to National Security that policy makers need to take into account), cited for the first time the criticality of AI.41 Additionally, the People’s Republic of China’s “Made in China 2025” plan highlights national goals to become globally dominant in key technologies, including AI.42 


A number of strategies and policies related to AI/ML are in various stages of development across several federal departments and agencies (Table 2). A survey of these efforts indicates that none have identified a specific effort related to ensuring the integrity of datasets and data-related commercial AI services. Consequently, a strategic opportunity exists to append unique concepts around protecting the global supply chain of data to other related federal efforts. 


Table 2. Bibliography of Federal AI/ML Strategies and Efforts Reviewed. 

Federal Agency | Title | Link 
NIST | AI Policy Contributions | https://www.nist.gov/artificial-intelligence/ai-policy-contributions 
NIST | AI Risk Management Framework | https://www.nist.gov/itl/ai-risk-management-framework 
NIST | Taxonomy of AI Risk | https://www.nist.gov/system/files/documents/2021/10/15/taxonomy_AI_risks.pdf 
Department of Defense / Joint Artificial Intelligence Center | Data Preparation and Management Support for DoD’s AI Development Initiatives | https://www.govconwire.com/2021/04/jaic-seeks-data-preparation-management-support-for-dods-ai-development-initiatives/ 
Office of Science and Technology Policy and National Science Foundation | The National Artificial Intelligence Research Resource Task Force (NAIRRTF) | https://www.ai.gov/nairrtf 


41 https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf 
42 https://crsreports.congress.gov/product/pdf/IF/IF10964 
4 Future Vulnerabilities - Digitalization, Decentralization, Decarbonization 


Cybersecurity supply chain vulnerabilities for all digital components will continue to be a high priority issue for energy sector systems as these systems become increasingly digitized, homogenized, and remotely operated. Key areas of focus for the future are described below. 


4.1 Legacy Systems 


Both legacy and new systems in the energy sector have a long lifecycle, in many cases decades. Even as 
updated technology becomes available for traditional systems, replacement cycles are slow. 


Many factors contribute to the extended timeframes. There is a limited supply of workforce with the skills needed to perform these upgrades. Scheduling the lead time required for replacements in legacy systems (e.g., a SCADA/Energy Management System suite replacement for a large transmission and distribution utility) takes multiple years of planning and preparation before actual cutover can occur. Changes are subject to strict regulatory governance, and there are often challenges in funding investments in upgrades. Consequently, even in systems where high-risk cyber vulnerabilities are present, many vulnerabilities will remain unpatched and reliant on standoff mitigations for extended periods of time. 


4.2 Renewables, Distributed Energy Resources, and Distributed Energy 
Resource Management Systems 


Renewables, distributed energy resources (DERs), and distributed energy resource management systems 
(DERMS) (the software platforms used to manage DERs) are increasingly being introduced into the grid. This 
infusion of new technology is expected to accelerate with the prioritized focus on decarbonization to combat 
climate change. 


From an operational technology perspective, this represents a significant change in the technical architecture of the grid, as we move towards a model that blends a legacy centralized architecture (hub and spoke) with a new decentralized mesh architecture with millions of endpoints. 


From a cybersecurity perspective, the introduction of new technical architecture and integration among architectures changes the overall risk model for the grid. Collectively, an evolution from a cybersecurity approach that focuses principally on legacy asset owners to one that incorporates more emphasis on endpoint device manufacturers and third-party integrators is needed. Cybersecurity for the global digital supply chain for manufacturers of consumer endpoint devices — such as inverters for behind-the-meter applications like photovoltaics — will be critical to the future cyber health of the grid. 


4.3 Remote Operations 


Remote operation of interconnected energy sector systems will continue and accelerate. Asset owners and the manufacturers who supply digital components to them have been building the capability to connect systems and operate them remotely for several years. This trend has been largely driven by efficiency (reducing the cost of continuous on-site system operators), and large investor-owned utilities (IOUs) have been steadily homogenizing the software and operational technology of physical assets acquired in M&A activity to enable remote operation of multiple physical locations. 
The trend towards remote operation has been greatly accelerated in the past year by the global pandemic. The imperative for worker safety has accelerated asset owner investments in remote operation technologies. Manufacturers have responded by expanding technical innovations such as cloud-based industrial control systems to enable operational flexibility. Operating ICS from a third party-hosted virtual platform is not inherently insecure. However, operating ICS from the cloud, over the internet, significantly changes their risk posture and, if not securely designed, architected, commissioned, operated, and maintained, can expose a larger portion of critical systems to cyber risk. 


5 U.S. Priorities and Strategic Opportunities 


Both legacy and modern systems in the ESIB will continue to be at risk from cyber supply chain compromises, and a variety of malicious actors in cyberspace will continue to find energy systems to be an attractive target. Working with partners across the ESIB to secure the digital supply chains for these and future systems is a current and continuing priority. 


DOE, in partnership with its stakeholders across the energy sector, has spearheaded a number of programs currently underway to identify, prioritize, and address cyber supply chain risks in digital components in energy systems. These include, but are not limited to, the current initiatives described below. 


5.1 Energy Cyber Sense Program 


Section 40122 of the 2021 Infrastructure Investment and Jobs Act43 (Pub. L. 117-58) directs DOE, in coordination with relevant federal agencies, to develop a voluntary program to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system, including products relating to industrial control systems and operational technologies. The strategic intent of this voluntary testing program is to improve the management of risks for the supply chains of key components, including digital components, in energy sector systems. 


5.2 Cyber Vulnerability Testing for Industrial Control Systems44 


Under development and in initial implementation over the past three years, Cyber Testing for Resilient Industrial Control Systems (CyTRICS™) is DOE’s program for cybersecurity vulnerability testing and digital subcomponent enumeration for OT and ICS. The strategic intent of this voluntary testing program is also to inform improvements in supply chain risk management for key components in energy sector systems. Key activities, findings, and lessons learned from the CyTRICS™ program are being incorporated into the new Energy Cyber Sense program45 to integrate, evolve, and drive priority cybersecurity outcomes for the ESIB. 


43 https://www.congress.gov/bill/117th-congress/house-bill/3684/text 
44 https://inl.gov/cytrics/ 
45 Section 40122 of the 2021 Infrastructure Investment and Jobs Act (Pub. L. 117-58) 
5.3 Securing Energy Infrastructure Executive Task Force46 


Section 5726 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92)47 directed DOE to establish a two-year pilot program within the National Laboratories, in partnership with relevant federal agencies, academic partners, energy sector asset owners and operators, and critical component manufacturers, to identify new classes of energy sector security vulnerabilities and evaluate technology and standards that isolate and defend industrial control systems from security vulnerabilities and exploits in the most critical energy sector systems. Deliverables from this task force represent foundational research and analyses that will be applied to improving cyber supply chain risk management in the ESIB. 


5.4 Energy Sector Software and Hardware Bill of Materials Proof of Concept48 


In January 2021, CyTRICS™ partnered with DHS, the DOE National Laboratories, industry, and academic partners to launch Energy Sector pilots to demonstrate digital subcomponent discovery, sharing, and analysis to enable illumination of risks associated with sub-tier suppliers. This pilot aims to accelerate efforts to address the underlying causes that allowed the SolarWinds compromise to occur and support implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity.”49 The strategic outcome for this continuing partnership effort is to demonstrate a better, empirical answer to the long-standing challenge of software supply chain visibility and sub-tier supplier visibility. 


5.5 Clean Energy Cybersecurity Accelerator50 


DOE and the National Renewable Energy Laboratory launched the Clean Energy Cybersecurity Accelerator 
(CECA) in October 2021 to provide a third-party environment with world-class testing facilities for asset 
owners of all sizes and types to develop and deploy renewable, modern grid technologies that are not only 
cost-competitive but also demonstrate the highest level of security by design. Testing and analyses performed 
under the program will support strengthened digital supply chains for new and emerging technologies in 
energy sector systems. 


5.6 Continuing Gaps 


DOE will continue to build and evolve these and other programs to advance supply chain security for critical 
digital components in energy sector systems. Still, many structural gaps exist that impede overall progress. 
Key gaps are described below. 


5.6.1. Defining the Energy Sector Industrial Base (ESIB) 


Energy sector industries and the supply chains on which they rely are extraordinarily diverse. Increasing digitalization, integration, and interconnection of energy sector systems necessitates a more holistic approach to identifying stakeholders among whom cyber supply chain risk is shared. Adopting a holistic approach is 


46 https://www.energy.gov/ceser/national-defense-authorization-act-fiscal-year-2020-ndaa 
47 https://docs.house.gov/billsthisweek/20191209/CRPT-116hrpt333.pdf 
48 https://inl.gov/sbom-poc/ 
49 https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity 
50 https://www.nrel.gov/innovate/cybersecurity-accelerator.html 
foundational to effectively addressing shared risks in digital supply chains. The Defense Industrial Base offers some leverageable concepts that may aid in developing a holistic approach for the energy sector.51, 52 


5.6.2 Data and Analytic Capabilities 

To understand current and emerging supply chain threats, risks, vulnerabilities, and opportunities, it is important to have access to supply chain data and analytical tools for decision support in building and maintaining resilient digital supply chains. Current information and analytical tools are fragmented, inconsistent, and incomplete. This is due to the lack of a comprehensive definition of the ESIB and inconsistent formats and requirements across constituent parts. Data that are useful in conducting effective digital supply chain analyses include, for example, prevalence and criticality of key software, software bills of materials, and market share. Comprehensive and normalized data are fundamental to illuminating, analyzing, and baselining systemic digital supply chain risks, as well as tracking progress. 


5.6.3 Strategic Approach 

DOE does not currently have a strategy that fully addresses security for interdependent digital supply chains and that covers the ESIB. Because cyber supply chain risks are shared among interconnected energy systems, a more holistic approach is needed to effectively increase resilience and digital supply chain security. A secure digital component supply chain strategy could effectively identify actions to address the supply chain security of critical digital components used by key subsectors and companies in the ESIB that are critical to U.S. energy security. A strategic approach would enable key ESIB-wide functions including: defining and prioritizing critical digital supply chains; baselining and defining goals; and effective planning for changes anticipated as the drive to modernize and decarbonize the grid accelerates. 


5.6.4 More Consistent Guidelines 

Fragmented and inconsistent oversight of supply chain risks for digital components in critical energy systems 
remains a gap. Policy cohesion and more consistent guidelines, standards, and processes to manage shared 
cybersecurity risks for the ESIB could address this gap. A key part of improving ESIB-wide consistency 
would include leveraging and building upon existing standards and emerging guidelines such as those 
identified in E.O. 14028, “Improving the Nation’s Cybersecurity,” in partnership with key government and 
ESIB stakeholders. 


5.7 Strategic Opportunities 
DOE will continue to prioritize programs and initiatives, pursuant to executive and legislative direction, to manage cyber supply chain risks for the ESIB. Additionally, a strategic opportunity exists to develop policies to manage emerging future risks. New priorities could address the following elements. 


5.7.1. Securing Distributed Energy Resource Management Systems and Endpoint Devices 
As the grid is modernized and decarbonized, increasing numbers of endpoint devices — like consumer electric 
vehicle (EV) chargers — will be connected to the grid. The software used to manage and aggregate these 


51 Congressional Research Service (2021). “Defense Primer: U.S. Defense Industrial Base.” https://crsreports.congress.gov/product/pdf/IF/IF10548 
52 Congressional Research Service (2021). “Defense Primer: The National Technology and Industrial Base.” https://crsreports.congress.gov/product/pdf/IF/IF11311 
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devices among traditional utilities and asset owners, third party aggregators, and consumers — Distributed 
Energy Resource Management Systems (DERMS) — will become increasingly strategically important in 
securely managing these increasingly complex, interconnected systems. Consequently, proactive security 
investments must be made to ensure the integrity of the cybersupply chain for firmware on connected devices 
and the software systems used to connect and manage them. Emerging technologies that support the energy 
sector should be developed with approaches to illuminate the risk of sub-tier suppliers in mind. 


5.7.2 Securing Virtual Platforms 

The efficiency-driven trend towards more flexible operation of ICS will continue. Consequently, the security 
of third-party-hosted virtual platforms and virtual services provided to the energy sector by the ESIB will 
become an increasingly important cyber supply chain risk to manage. Modern technology architectures should 
reflect principles of security-by-design, not just in the systems themselves, but also in the digital supply chains 
that support them. 


5.7.3 Ensuring the Integrity of the Supply Chain for Data 

AI/ML use will continue to grow towards Artificial General Intelligence³³ and be applied to an increasing 
number of complex daily applications, including managing the safety and efficient operation of the grid. 
Consequently, proactive investment in ensuring the integrity of the commercial global supply chain of datasets, 
AI models, and AI training will be needed to prevent malicious compromise of these critical capabilities as 
U.S. dependence on them grows. 


6 Conclusion 


As the energy sector has become more globalized and increasingly complex, digitized, and even virtualized, its 
supply chain risk for digital components — the software, virtual platforms and services, and data — in energy 
systems has evolved and expanded. 


All cyber components in U.S. energy sector systems (that is, systems within the U.S. Energy Sector Industrial 
Base) are vulnerable and may be subject to cyber supply chain risks stemming from a variety of threats, 
vulnerabilities, and impacts. Supply chain risks for digital components in energy sector systems will continue 
to evolve and likely increase as systems are increasingly interconnected, digitized, and remotely operated. 


Cyber supply chain risks for legacy systems will continue to be a priority concern requiring active and more 
holistic management and mitigation. However, as new technologies are introduced — in the form of 
renewables and distributed energy systems — and operational efficiencies — through increasing use of virtual 
platforms and the application of AI/ML — are increasingly pursued, a strategic opportunity exists to ensure that 
the supply chains for these digital assets are developed with cybersecurity in mind. 


33 https://www.dni.gov/index.php/gt2040-home/gt2040-structural-forces/technology 

Recommended policy actions to address the vulnerabilities and opportunities covered in this report may be 
found in the Department of Energy 1-year supply chain review policy strategies report, “America’s Strategy to 
Secure the Supply Chain for a Robust Clean Energy Transition.” For more information, visit 
www.energy.gov/policy/supplychains. 
Glossary 


Artificial Intelligence (AI): A branch of computer science devoted to developing data processing systems that 
perform functions normally associated with human intelligence, such as reasoning, learning, and 
self-improvement. 


Energy Sector Industrial Base (ESIB): Holistic representation of the energy sector and associated supply chains 
that includes all industries/companies and stakeholders directly and indirectly involved in the energy sector. 
This complex network of industries and stakeholders spans from extractive industries, manufacturing 
industries, energy conversion and delivery industries, end of life and waste management industries, to service 
industries which include providers of digital goods and services. These industries and associated stakeholders 
may be located within the U.S. states and territories, in foreign countries, or both. 


Industrial Control System (ICS): An information system used to control industrial processes such as 
manufacturing, product handling, production, and distribution. Industrial control systems include supervisory 
control and data acquisition systems used to control geographically dispersed assets, as well as distributed 
control systems and smaller control systems using programmable logic controllers to control localized 
processes. 


Investor Owned Utility (IOU): A privately-owned electric utility whose stock is publicly traded. It is rate 
regulated and authorized to achieve an allowed rate of return. 


Information Technology (IT): Any equipment or interconnected system or subsystem of equipment that is used 
in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, 
interchange, transmission, or reception of data or information by the executive agency. For purposes of the 
preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency 
directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such 
equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or 
the furnishing of a product. The term information technology includes computers, ancillary equipment, 
software, firmware and similar procedures, services (including support services), and related resources. 


Machine Learning (ML): The use and development of computer systems that are able to learn and adapt 
without following explicit instructions, by using algorithms and statistical models to analyze and draw 
inferences from patterns in data. 


Operational Technology (OT): Programmable systems or devices that interact with the physical environment 
(or manage devices that interact with the physical environment). These systems/devices detect or cause a direct 
change through the monitoring and/or control of devices, processes, and events. Examples include industrial 
control systems, building management systems, fire control systems, and physical access control mechanisms. 


Supervisory Control and Data Acquisition (SCADA): A generic name for a computerized system that is capable 
of gathering and processing data and applying operational controls over long distances. Typical uses include 
power transmission and distribution and pipeline systems. SCADA was designed for the unique communication 
challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, 
microwave, and satellite. Usually shared rather than dedicated. 


Software (or System) Development Life Cycle (SDLC): The scope of activities associated with a system, 
encompassing the system’s initiation, development and acquisition, implementation, operation and 
maintenance, and ultimately its disposal that instigates another system initiation. 